AIP SSM 20 ver-5.1(6)E1, ASA 5520 ver-8.0(2), password recovery

Unanswered Question
Feb 19th, 2008

Hi,


I have ASA 5520 running ver 8.0(2) and AIP-SSM-20 version 5.1(6)E1. I lost the password and in the process to recover I tried loading the image on AIP-SSM-20. The image I am trying to load is IPS-SSM-K9-sys-1[1].1-a-6.0-3-E1.img but the status on ASA still shows Recover. I am using the following configuration.

=============

AUFWMEL01# sh module 1 recover

Module 1 recover parameters...

Boot Recovery Image: Yes

Image URL: tftp://andrewl-IP/IPS-SSM-K9-sys-1[1].1-a-6.0-3-E1.img

Port IP Address: 10.10.0.250

Gateway IP Address: H-10.10.0.254

VLAN ID: 0

==================

Under Port IP Address I have given the IP address of IPS (I was not sure what this means). Status "Recover" did not change for a day and then I stopped it. Tried again and the status is still the same.


What could be the issue and what is the solution to this problem. The document does not mention the time it will take to recoever and there is no way to monitor the progress. Any help / pointers in the right direction appreciated.


Regards

Manoj

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
marcabal Tue, 02/19/2008 - 17:56

Execute "debug module-boot".

The SSM runs a ROMMON similar to the ASA.

However, the user does not have direct access to the SSM Rommon.

The "debug module-boot" allows users to see the SSM ROMMON messages from the ASA console.


Watch the SSM ROMMON output and you maybe able to see what error is happening. More than likely something is misconfigured in your recovery configuration. If ROMMON is not able to download the file, the SSM reboots and ROMMON tries again. It continues to repeat this cycle until you stop it or fix the recover configuration.


My best guess in looking at your output from the post is that your filename may be incorrect.

Your filename listed is:

/IPS-SSM-K9-sys-1[1].1-a-6.0-3-E1.img

But it should likely be:

/IPS-SSM-K9-sys-1.1-a-6.0-3-E1.img

without the "[1]" in the name.


In addition you need to use an IP Address for the tftp server. It looks like you may have used a machine name instead of an IP.


You are correct that the port IP is the same IP you used for the SSM management IP.


Other usual problems are using the wrong directory location on the tftp server.


manojsaxena Wed, 02/20/2008 - 15:40

Hi,


Your post was really helpful in identifying whats happening in the backend. But I keep getting this error. I have tried with different versions of the image. I am using tftpd32 (recommended by Cisco).

==============

AUFWMEL01# sh debug

debug module-boot enabled at level 1

AUFWMEL01# Slot-1 9> Cisco Systems ROMMON Version (1.0(11)2) #0: Thu Jan 26 10:43:08 PST 2006

Slot-1 10> Platform ASA-SSM-20

Slot-1 11> GigabitEthernet0/0

Slot-1 12> Link is UP

Slot-1 13> MAC Address: 001b.d588.865b

Slot-1 14> ROMMON Variable Settings:

Slot-1 15> ADDRESS=10.10.0.250

Slot-1 16> SERVER=10.10.0.28

Slot-1 17> GATEWAY=10.10.0.254

Slot-1 18> PORT=GigabitEthernet0/0

Slot-1 19> VLAN=untagged

Slot-1 20> IMAGE=IPS-SSM-K9-6-0-3-E1.img

Slot-1 21> CONFIG=

Slot-1 22> LINKTIMEOUT=20

Slot-1 23> PKTTIMEOUT=4

Slot-1 24> RETRY=20

Slot-1 25> tftp [email protected] via 10.10.0.254

Slot-1 26> TFTP failure: Packet verify failed after 20 retries

Slot-1 27> Rebooting due to Autoboot error ...

Slot-1 28> Rebooting....

===========


Thanks for your help.


Regards

Manoj

manojsaxena Wed, 02/20/2008 - 18:18

For the benefit of others I am giving below the resolution of this problem.


In the setup, IPS and ASA inside network were the same and ASA inside IP was the default gateway. So when I configured the "hw-module module 1 recover config" I gave the ASA inside IP address as the default gateway (which was not wrong). Because my tftp was also on the same subnet there was no need of a default gateway. So if you give the IP address of TFTP server as your default gateway the problem will be resolved.


Important please ensure the Network cable is connected to the AIP-SSM module and can reach the tftp server.


Regards

Manoj

Actions

This Discussion